Students’ info security questioned

Questions have been raised over an anonymous email sent to schools using Gallivan & Associates Student Networks as their health benefits provider.

The email seems to have originated from a student at Ontario’s Conestoga College, but has since been copied and pasted by others. It states the online health benefits opt-out form was not encrypted, leaving students’ personal information vulnerable to cyber criminals:

“I have discovered that the online opt-out form for the student health plan does not utilize proper encryption (https or SSL) to protect the data that students must submit,” the email said.

“As a result, all of the sensitive identifying personal information, including first and last name, student number, date of birth, address, email, telephone numbers, health insurer info (and for some schools, like Conestoga, attached, students’ personal banking information) are transmitted without any encryption or security over the internet where anyone ‘listening’ can easily intercept it.”

The form has since been taken down after the opt-out date passed on Sept. 30. However, a screenshot attached to the email shows the form posted on Gallivan’s website, www.mystudentplan.ca.

Gallivan & Associates, a third-party company between the insurance company and plan beneficiaries, is used by a number of post-secondary organizations in Canada including the Students’ Association of Mount Royal University.

In an email sent by Brian Boechler, Gallivan & Associates client services director, the company does not deny that it was not using an SSL certificate, describing it as an additional security measure it was in the process of establishing.

However, Spencer Brewer, an independent information security analyst, said the absence of an SSL certificate isn’t a good sign.

“The web form in the screenshot is not encrypted,” Brewer said. “The information submitted through that form would likely not have been protected from network capture.”

He noted that there could be other methods of protecting the information in place, but SSL is the most common and that is what people should look for when submitting information via web form.

In the email, Boechler states the website and its information are hosted in a secure tier-1 facility and the information stored on the servers is encrypted.

However, Brewer said the security controls described by Boechler mostly relate to Gallivan & Associates’ internal handling practices and do not protect the user’s information on its way to their server.

Although there was potential for information to be compromised, Boechler stated there’s no known breach of student information.

Brewer said: “In this case, a scenario where the form data could be captured and used for ID theft is plausible, but not likely. Regardless, I recommend that those who submitted personal information in an unsecured form keep a close eye on their credit statements and watch for unusual activity.”

He also suggested that the Students’ Association request a third-party security audit of Gallivan & Associates’ security controls to ensure they meet common standards for protecting confidentiality, integrity and availability of information.

Students’ Association VP external, Michelle Dennis, said they are currently investigating the situation but have not yet made any decisions about how they are going to proceed.